On Tue, Jan 01, 2008 at 11:21:50PM +0000, Stephen Usher wrote:
Actually, a better method which would not inconvenience real users is
to have an accumulative delay, i.e. the first error has a 1 second
delay, the second 2 seconds, the third 4 seconds and so on. This
should tar-pit any brute force attack, at least until the script
kiddies just blast the server with a huge number of new connections to
do the job.
Unfortunately, most of the dictionary attacks that we've been seeing will open and attack multiple simultaneous connections. After a single attempt, they'll drop the connection and reconnect.
The only way to mitigate the attacks is a long delay even on a single authentication failure.
We can handle most of the load issue through our hardware load-balancers, but ultimately it's the delay after auth failure that is the only real limiting factor.
Ideally, Dovecot would allow finer control over its process forking (specifically maximum simultaneous connections from a single IP, maximum total connections and maximum authentication attempts before disconnect), but I figured I'd probably be pushing my luck asking for all of it at once. :)
Until those features are in place, larger sites have to just cross their fingers and hope that the current rash of attacks will slow over time.
-- Dean Brooks dean@iglou.com
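A constructed illustration of the point made in this thread, added here and not code from Dovecot or either poster: backoff state kept per connection is reset by the one-attempt-then-reconnect pattern, while state keyed by source IP survives reconnects and can also enforce a simultaneous-connection cap and an attempt cap. The IP 203.0.113.7 and the limits are assumed sample values.

```python
from collections import defaultdict

# Constructed attack pattern from the thread: one auth attempt per connection,
# then drop and reconnect. Each tuple is (source_ip, connection_id).
ONE_SHOT_ATTEMPTS = [("203.0.113.7", f"conn{i}") for i in range(6)]


def per_connection_delays(attempts):
    """Delay (seconds) each attempt sees when the failure counter lives in the
    connection: 1, 2, 4, ... within a connection, but a fresh connection
    starts again at 1, so a reconnecting attacker never pays more than 1s."""
    failures = defaultdict(int)  # keyed by connection, not by client
    delays = []
    for _ip, conn in attempts:
        failures[conn] += 1
        delays.append(2 ** (failures[conn] - 1))
    return delays


class PerIpLimiter:
    """Failure counter and connection counter keyed by source IP (assumed
    policy, not Dovecot's): exponential delay, a cap on simultaneous
    connections, and a cap on failed attempts after which the client is dropped."""

    def __init__(self, max_conns_per_ip=2, max_attempts=4):
        self.failures = defaultdict(int)
        self.open_conns = defaultdict(int)
        self.max_conns = max_conns_per_ip
        self.max_attempts = max_attempts

    def connect(self, ip):
        if self.open_conns[ip] >= self.max_conns:
            return False  # too many parallel connections from this IP
        self.open_conns[ip] += 1
        return True

    def disconnect(self, ip):
        self.open_conns[ip] -= 1

    def auth_failed(self, ip):
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_attempts:
            return "dropped"
        return 2 ** (self.failures[ip] - 1)  # 1s, 2s, 4s, ...


def per_ip_outcomes(attempts, max_conns=2, max_attempts=4):
    """Outcome per attempt when the same one-shot pattern hits a per-IP limiter."""
    lim = PerIpLimiter(max_conns, max_attempts)
    outcomes = []
    for ip, _conn in attempts:
        if not lim.connect(ip):
            outcomes.append("refused")
            continue
        outcomes.append(lim.auth_failed(ip))
        lim.disconnect(ip)  # attacker drops after a single attempt
    return outcomes
```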